SoylentNews

Freeman [soylentnews.org] writes:

https://arstechnica.com/security/2023/10/iphone-privacy-feature-hiding-wi-fi-macs-has-failed-to-work-for-3-years/ [arstechnica.com]

Three years ago, Apple introduced a privacy-enhancing feature that hid the Wi-Fi address of iPhones and iPads when they joined a network. On Wednesday, the world learned that the feature has never worked as advertised. Despite promises that this never-changing address would be hidden and replaced with a private one that was unique to each SSID, Apple devices have continued to display the real one, which in turn got broadcast to every other connected device on the network.
[...]
In 2020, Apple released iOS 14 with a feature that, by default, hid Wi-Fi MACs [apple.com] when devices connected to a network. Instead, the device displayed what Apple called a “private Wi-Fi address” that was different for each SSID. Over time, Apple has enhanced the feature, for instance, by allowing users to assign a new private Wi-Fi address for a given SSID.

On Wednesday, Apple released iOS 17.1 [arstechnica.com]. Among the various fixes was a patch for a vulnerability, tracked as CVE-2023-42846 [tenable.com], which prevented the privacy feature from working. Tommy Mysk, one of the two security researchers Apple credited with discovering and reporting the vulnerability (Talal Haj Bakry was the other), told Ars that he tested all recent iOS releases and found the flaw dates back to version 14, released in September 2020.

“From the get-go, this feature was useless because of this bug,” he said. “We couldn't stop the devices from sending these discovery requests, even with a VPN. Even in the Lockdown Mode.”

Original Submission